The world has changed dramatically in a short period of time – and with it the world of work. The new hybrid world of working remotely and in the office is having an impact on technology – cybersecurity in particular – and signals that the time has come to recognize how closely people and technology are really intertwined.
It is vital for fast-growing companies to enable a fast-paced, cloud-based collaboration culture that positions them to innovate, outperform, and outsmart their competitors. Achieving this level of digital speed, however, brings with it a rapidly growing cybersecurity challenge that is often overlooked or neglected: insider risk, which arises when a team member inadvertently – or deliberately – shares data or files outside trusted parties. Ignoring the intrinsic link between employee productivity and insider risk can affect both a company’s competitive position and its bottom line.
You cannot treat employees as you treat nation-state hackers
Insider risk includes any user-controlled data exposure event – security, compliance, or competitive – that jeopardizes the financial, reputational, or operational well-being of a company and its employees, customers, and partners. Thousands of user-controlled data exposure and exfiltration events occur daily due to accidental user error, negligence by employees, or malicious users trying to harm the business. Many users inadvertently create insider risk simply by making sharing and collaboration decisions based on time and reward in order to increase their productivity. Other users pose risk through negligence, and some have malicious intent, for example an employee who steals company data to give to a competitor.
From a cybersecurity perspective, organizations need to treat insider risk differently from external threats. With threats like hackers, malware, and nation-state threat actors, the intent is clear – it’s malicious. But employee intent behind insider exposure is not always clear – even if the effects are the same. Employees can accidentally or negligently lose data. To fully accept this truth, security teams that have operated with a bunker mentality in the past – besieged from the outside, keeping their cards close to their chest so that the enemy cannot see their defenses and use them against them – must change their mindset. Employees are not the opponents of a security team or a company – rather, they should be seen as allies in combating insider risk.
Transparency creates trust: building a basis for training
All companies want to prevent their crown jewels – source code, product designs, customer lists – from falling into the wrong hands. Imagine the financial, reputational, and operational risk that could arise from the leakage of essential data prior to an IPO, acquisition, or earnings call. Employees play a key role in preventing data leaks, and there are two critical elements to turning employees into insider risk allies: transparency and training.
Transparency can feel at odds with cybersecurity. For cybersecurity teams operating with an adversarial mindset appropriate to external threats, it can be challenging to approach internal threats differently. Transparency means building trust on both sides. Employees want to feel that their company trusts them to use data meaningfully. Security teams should always start from a place of trust, on the assumption that most employee actions are taken with positive intent. But as they say in cybersecurity, it is important to “trust but verify”.
Monitoring is a critical part of managing insider risk, and companies should be transparent about it. CCTV cameras are not hidden in public spaces. In fact, they are often accompanied by signs announcing surveillance in the area. Management should make it clear to employees that their data movements are being monitored, but that their privacy will still be respected. There is a big difference between monitoring data movement and reading all employee emails.
Transparency creates trust – and on that basis, a company can focus on minimizing risk by changing user behavior through training. Right now, security education and awareness programs are a niche. Phishing training is probably the first thing that comes to mind, as it has been successful in moving the needle and getting employees to think before they click. Outside of phishing, there isn’t much training that helps users understand what exactly they should and shouldn’t be doing.
Many employees do not even know where their organization stands in the first place. Which applications can they use? What rules of engagement apply to these apps if they want to use them to share files? What data can they use? Are they entitled to this data? Does the organization even care? Cybersecurity teams deal with a lot of noise caused by employees doing things they shouldn’t. What if you could reduce that noise just by answering these questions?
Employee training should be both proactive and responsive. To proactively change employee behavior, organizations should offer both long and short training modules that remind users of the best behaviors. Additionally, companies should respond with a micro-learning approach: bite-sized videos tailored to very specific situations. The security team needs to take a page out of marketing’s book and focus on repeated messages delivered to the right people at the right time.
When executives understand that insider risk is not just a cybersecurity problem, but is closely tied to corporate culture and has a significant impact on the business, they are in a better position to innovate, outperform, and outsmart their competitors. In today’s hybrid remote and in-office working environment, the human element in technology has never been more important. For this reason, transparency and training are essential to keep data from leaking out.
This content was created by Code42. It was not written by the editorial staff of the MIT Technology Review.